When Hadoop started, it had a security problem. The spin from the various Hadoop vendors and proponents tended to be something like, “We see security as a front-end application issue.” This is what you say when you don’t have a good answer.

Since then, solutions like Apache Knox and Cloudera Manager have provided answers for authentication and authorization for basic database management functions. The underlying Hadoop Filesystem now incorporates Unix-like permissions.

This hasn’t completely quashed the issue, largely because of the way entrepreneurs think: If you can’t come up with a new idea, then plunk the S-word after the name of a new technology and you have a “BOLD IDEA FOR A NEW STARTUP!!!!” Rummage through the dustbin of recent history and you’ll find startups devoted to SOA security, AJAX security, open source security, and so on. Now we have big data security startups — and the money will roll right in! How do you launch a security startup? Scare people, of course.

The real security problem with Hadoop in particular and big data in general isn’t with everyday access rights — that took all of 10 minutes for the vendors and open source community to solve. The big problem is that when you aggregate a lot of data, you lose context. While I doubt many people are aggregating a lot of data without any context, aggregating any data means losing some context. A highly scalable architecture like Hadoop makes it feasible to store context, too, but checking all that context with each piece of data is an expensive proposition.

Here’s what you need to know about context: Though you learn all about authentication and authorization in any basic computer science course, the most important details are often skirted. Yes, you can get access to the database as a certain user, and yes, you can get access to the BankAccounts table, but which rows can you access? The more data you aggregate, the harder it becomes to preserve granular rights and permissions.

How do you keep all of those data ownership and data context rules in place without killing the performance that caused you to choose a big data solution in the first place? Well, there are emerging technology solutions, such as Accumulo, created by the big data community — including everyone’s favorite member, the NSA.
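One way to keep per-row context with the data, in the style of Accumulo's cell-level visibility labels, as an added example (not Accumulo's own code): each row carries a boolean label expression, and a reader sees the row only if their authorization set satisfies it. The parser and the BankAccounts-like sample rows are constructed for this example; it gives `&` precedence over `|`, whereas Accumulo requires parentheses when the two are mixed.

```python
import re
# Accumulo-style column visibility: a boolean expression over labels such as
# "finance&(pii|audit)"; a row is readable only when the reader's authorization
# set satisfies it. Parser and rows are constructed for this example.
_TOKEN = re.compile(r"[A-Za-z0-9_.:-]+|[&|()]")
def visible(expr, auths):
    """True if `auths` satisfies `expr`; an empty expression means public."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):  # reject stray characters
        raise ValueError(f"bad visibility expression {expr!r}")
    if not tokens:
        return True
    auths, i = set(auths), 0
    def take():  # next token, or None at end of input
        nonlocal i
        i += 1
        return tokens[i - 1] if i <= len(tokens) else None
    def parse_or():  # or_expr := and_expr ('|' and_expr)*
        v = parse_and()
        while i < len(tokens) and tokens[i] == "|":
            take()
            v = parse_and() or v  # parse the operand even when v is already True
        return v
    def parse_and():  # and_expr := factor ('&' factor)*
        v = parse_factor()
        while i < len(tokens) and tokens[i] == "&":
            take()
            v = parse_factor() and v
        return v
    def parse_factor():  # factor := label | '(' or_expr ')'
        t = take()
        if t == "(":
            v = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return v
        if t is None or t in ("&", "|", ")"):
            raise ValueError(f"malformed visibility expression {expr!r}")
        return t in auths
    result = parse_or()
    if i != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def filter_rows(rows, auths):  # row-level filter over a BankAccounts-like table
    return [r for r in rows if visible(r["visibility"], auths)]

SAMPLE_ROWS = [  # constructed rows, each carrying its own visibility expression
    {"account": "1001", "balance": 250.0, "visibility": "finance&pii"},
    {"account": "1002", "balance": 80.0, "visibility": "finance&(pii|audit)"},
    {"account": "1003", "balance": 12.5, "visibility": ""},
]
```

The cost the article warns about is visible here: every row read evaluates its own expression, which is why systems like Accumulo store the label with the cell rather than joining back to a separate context table.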

Luckily, this has all been thought of before in research and in great detail. In fact, almost exactly one decade ago this was a hot topic. When you’re building your big data project that aggregates gobs of data from various places in the company and wondering about security, I suggest simply searching on “datawarehouse security.” Though 70 percent of the results will be vendor pitches or complaints about RBAC, you’ll find plenty of results that explain exactly how this was done before. Much of that previously published material describes neither technologies nor tools, but methodologies — and those more or less translate directly to big data.

This article, “Trust me: Big data is a huge security risk,” was originally published at InfoWorld.com in Andrew Oliver’s Strategic Developer blog.


New, sophisticated ATM heist used a malware-laden USB stick to hijack the machine — one arrest is made

In what could be a sign of what’s ahead in ATM fraud, a highly sophisticated and well-funded criminal gang targeted an overseas bank and commandeered at least four of its ATM machines with malware-rigged USB sticks in order to empty them of cash.
Tillmann Werner, a researcher for CrowdStrike, says the organized crime group cracked open the ATM machines and plugged in a USB stick containing a DLL exploit payload. The payload reconfigured the ATM system so that the attackers controlled it, allowing money mules to steal all of the cash stored in those machines. There has been a single arrest so far — a money mule — and the attacks may have caused millions of dollars in losses. Similar attacks are expected against other banks as well, he says.

“They crack the ATM open and plug in the USB drive. It’s risky, but nevertheless, it works,” Werner says.
Werner declined to name the victim bank or the brand of ATM machines it runs. The attacks still appear to be under way, he says. “The fact that such a sophisticated group is operating right now is the most important fact. Another thing that’s interesting is banks in Germany potentially have the same issue, although we haven’t seen an attack like that in Germany so far,” Werner says.

The attackers physically took apart the ATM machines and inserted a USB stick with a malicious DLL installer into the printer port, giving them control of the ATM’s Windows XP-based operating system. When the ATM’s network connection is interrupted, it automatically reboots, and it does so from the malicious USB stick. The installer program collects information from the ATM system and also keeps a log file for the attackers.
“It’s a DLL injection file attack into the running process [of the ATM], and then you have code running in that process, and they can do what they want,” Werner says.

One member of the gang in the heist was caught when he went to one of the ATMs to cash out. The cash-out works like this: An attacker types in a 12-digit code that then displays the malicious menu on the ATM screen. He answers a challenge question, and then calls one of his accomplices for a response code, which he inputs to dispense the cash from the ATM. The entire transaction of emptying the ATM takes a few short minutes.
Unlike the Ploutus ATM malware discovered last year, which targeted bank customers during their ATM transactions, this attack goes after the bank’s cash in the ATMs. “It’s not related to Ploutus,” Werner says, calling Ploutus “child’s play” compared with this new, more advanced method that steals from the bank itself.

“Attacks against ATMs mostly have been skimming attacks,” he says. “With this attack, you can empty a whole ATM and make a lot of money … It definitely takes a mafia-like organization to pull off such an attack.”
The victim bank discovered the heist when its ATMs prematurely went empty of cash. “It doesn’t leave any [other] traces,” Werner says. The only clue is that the balance in the machine declines — the theft transaction isn’t detected.
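Since the only trace the article describes is a cassette count that falls without a matching transaction, a bank can reconcile the two. The following is an added example (not from CrowdStrike or the article): periodic cassette counts are compared with the notes the transaction journal accounts for, and any interval with an unexplained drop is flagged. The `Reading` and `Dispense` records and the sample data are constructed for this example.

```python
from dataclasses import dataclass

# Cash reconciliation for an ATM whose only symptom of a cash-out is a falling
# cassette count: compare periodic counts against the notes the transaction
# journal can explain. Record types and sample data are constructed here.

@dataclass(frozen=True)
class Reading:   # cassette count reported by the ATM at time `ts` (epoch seconds)
    ts: int
    notes: int

@dataclass(frozen=True)
class Dispense:  # an authorized withdrawal recorded in the transaction journal
    ts: int
    notes: int

def reconcile(readings, dispenses, tolerance=0):
    """Return (start_ts, end_ts, shortfall) for each interval between two
    consecutive readings in which the cassette dropped by more notes than the
    journal explains. Replenishments (count rising) never raise an alert."""
    readings = sorted(readings, key=lambda r: r.ts)
    alerts = []
    for prev, cur in zip(readings, readings[1:]):
        journaled = sum(d.notes for d in dispenses if prev.ts < d.ts <= cur.ts)
        shortfall = (prev.notes - cur.notes) - journaled
        if shortfall > tolerance:
            alerts.append((prev.ts, cur.ts, shortfall))
    return alerts

# Constructed sample: hourly counts; the second hour loses 1,650 notes while the
# journal shows only one 40-note withdrawal in that hour.
SAMPLE_READINGS = [Reading(0, 2000), Reading(3600, 1950), Reading(7200, 300)]
SAMPLE_DISPENSES = [Dispense(600, 20), Dispense(1800, 30), Dispense(5000, 40)]

if __name__ == "__main__":
    for start, end, short in reconcile(SAMPLE_READINGS, SAMPLE_DISPENSES):
        print(f"unexplained shortfall of {short} notes between {start} and {end}")
```

The `tolerance` parameter absorbs normal miscounts; the alert interval is only as fine as the reading frequency, so a machine that reports counts once a day localises the theft no better than to that day.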

There are ways to prevent such an attack, but with ATMs not built with software security in mind, it’s tough to defend against it today. “You have to secure the PC, but that’s easier said than done,” Werner says. The best bet is to add a boot password to the system, which would prevent this attack, or to encrypt the ATM’s hard drive.
The attack could work on banks in the U.S. as well, he says. The attackers have different versions of the malware for different banks, he says. “It has nothing to do with the banking system. They’re going after the machine that spits out the money,” he says. “Maybe they’re not attacking U.S. ATMs because they use less cash in their ATMs.”